source4/auth/ntlmssp/ntlmssp_client.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, client server side parsing
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
   8    Copyright (C) Stefan Metzmacher 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "auth/ntlmssp/ntlmssp.h"
  26 #include "auth/ntlmssp/msrpc_parse.h"
  27 #include "lib/crypto/crypto.h"
  28 #include "libcli/auth/libcli_auth.h"
  29 #include "auth/credentials/credentials.h"
  30 #include "auth/gensec/gensec.h"
  31 #include "param/param.h"
  32
  33 /*********************************************************************
  34  Client side NTLMSSP
  35 *********************************************************************/
  36
  37 /**
  38  * Next state function for the Initial packet
  39  *
  40  * @param ntlmssp_state NTLMSSP State
  41  * @param out_mem_ctx The DATA_BLOB *out will be allocated on this context
  42  * @param in A NULL data blob (input ignored)
  43  * @param out The initial negotiate request to the server, as an talloc()ed DATA_BLOB, on out_mem_ctx
  44  * @return Errors or NT_STATUS_OK.
  45  */
  46
  47 NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
  48                                 TALLOC_CTX *out_mem_ctx,
  49                                 DATA_BLOB in, DATA_BLOB *out)
  50 {
  51         struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
  52
  53         if (gensec_ntlmssp_state->unicode) {
  54                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
  55         } else {
  56                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
  57         }
  58
  59         if (gensec_ntlmssp_state->use_ntlmv2) {
  60                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
  61         }
  62
  63         /* generate the ntlmssp negotiate packet */
  64         msrpc_gen(out_mem_ctx,
  65                   out, "CddAA",
  66                   "NTLMSSP",
  67                   NTLMSSP_NEGOTIATE,
  68                   gensec_ntlmssp_state->neg_flags,
  69                   gensec_ntlmssp_state->domain,
  70                   cli_credentials_get_workstation(gensec_security->credentials));
  71
  72         gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
  73
  74         return NT_STATUS_MORE_PROCESSING_REQUIRED;
  75 }
  76
  77 /**
  78  * Next state function for the Challenge Packet.  Generate an auth packet.
  79  *
  80  * @param gensec_security GENSEC state
  81  * @param out_mem_ctx Memory context for *out
  82  * @param in The server challnege, as a DATA_BLOB.  reply.data must be NULL
  83  * @param out The next request (auth packet) to the server, as an allocated DATA_BLOB, on the out_mem_ctx context
  84  * @return Errors or NT_STATUS_OK.
  85  */
  86
  87 NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
  88                                   TALLOC_CTX *out_mem_ctx,
  89                                   const DATA_BLOB in, DATA_BLOB *out)
  90 {
  91         struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
  92         uint32_t chal_flags, ntlmssp_command, unkn1, unkn2;
  93         DATA_BLOB server_domain_blob;
  94         DATA_BLOB challenge_blob;
  95         DATA_BLOB target_info = data_blob(NULL, 0);
  96         char *server_domain;
  97         const char *chal_parse_string;
  98         const char *auth_gen_string;
  99         DATA_BLOB lm_response = data_blob(NULL, 0);
 100         DATA_BLOB nt_response = data_blob(NULL, 0);
 101         DATA_BLOB session_key = data_blob(NULL, 0);
 102         DATA_BLOB lm_session_key = data_blob(NULL, 0);
 103         DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
 104         NTSTATUS nt_status;
 105         int flags = 0;
 106         const char *user, *domain;
 107
 108         TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
 109         if (!mem_ctx) {
 110                 return NT_STATUS_NO_MEMORY;
 111         }
 112
 113         if (!msrpc_parse(mem_ctx,
 114                          &in, "CdBd",
 115                          "NTLMSSP",
 116                          &ntlmssp_command,
 117                          &server_domain_blob,
 118                          &chal_flags)) {
 119                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
 120                 dump_data(2, in.data, in.length);
 121                 talloc_free(mem_ctx);
 122
 123                 return NT_STATUS_INVALID_PARAMETER;
 124         }
 125
 126         data_blob_free(&server_domain_blob);
 127
 128         DEBUG(3, ("Got challenge flags:\n"));
 129         debug_ntlmssp_flags(chal_flags);
 130
 131         ntlmssp_handle_neg_flags(gensec_ntlmssp_state, chal_flags, gensec_ntlmssp_state->allow_lm_key);
 132
 133         if (gensec_ntlmssp_state->unicode) {
 134                 if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) {
 135                         chal_parse_string = "CdUdbddB";
 136                 } else {
 137                         chal_parse_string = "CdUdbdd";
 138                 }
 139                 auth_gen_string = "CdBBUUUBd";
 140         } else {
 141                 if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) {
 142                         chal_parse_string = "CdAdbddB";
 143                 } else {
 144                         chal_parse_string = "CdAdbdd";
 145                 }
 146
 147                 auth_gen_string = "CdBBAAABd";
 148         }
 149
 150         if (!msrpc_parse(mem_ctx,
 151                          &in, chal_parse_string,
 152                          "NTLMSSP",
 153                          &ntlmssp_command,
 154                          &server_domain,
 155                          &chal_flags,
 156                          &challenge_blob, 8,
 157                          &unkn1, &unkn2,
 158                          &target_info)) {
 159                 DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
 160                 dump_data(2, in.data, in.length);
 161                 talloc_free(mem_ctx);
 162                 return NT_STATUS_INVALID_PARAMETER;
 163         }
 164
 165         gensec_ntlmssp_state->server_domain = server_domain;
 166
 167         if (challenge_blob.length != 8) {
 168                 talloc_free(mem_ctx);
 169                 return NT_STATUS_INVALID_PARAMETER;
 170         }
 171
 172         cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx,
 173                                                  &user, &domain);
 174
 175         if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
 176                 flags |= CLI_CRED_NTLM2;
 177         }
 178         if (gensec_ntlmssp_state->use_ntlmv2) {
 179                 flags |= CLI_CRED_NTLMv2_AUTH;
 180         }
 181         if (gensec_ntlmssp_state->use_nt_response) {
 182                 flags |= CLI_CRED_NTLM_AUTH;
 183         }
 184         if (lp_client_lanman_auth(global_loadparm)) {
 185                 flags |= CLI_CRED_LANMAN_AUTH;
 186         }
 187
 188         nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx,
 189                                                       &flags, challenge_blob, target_info,
 190                                                       &lm_response, &nt_response,
 191                                                       &lm_session_key, &session_key);
 192
 193         if (!NT_STATUS_IS_OK(nt_status)) {
 194                 return nt_status;
 195         }
 196
 197         if (!(flags & CLI_CRED_LANMAN_AUTH)) {
 198                 /* LM Key is still possible, just silly.  Fortunetly
 199                  * we require command line options to end up here */
 200                 /* gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; */
 201         }
 202
 203         if (!(flags & CLI_CRED_NTLM2)) {
 204                 /* NTLM2 is incompatible... */
 205                 gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
 206         }
 207
 208         if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
 209             && lp_client_lanman_auth(global_loadparm) && lm_session_key.length == 16) {
 210                 DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
 211                 if (lm_response.length == 24) {
 212                         SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data,
 213                                                   new_session_key.data);
 214                 } else {
 215                         static const uint8_t zeros[24];
 216                         SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros,
 217                                                   new_session_key.data);
 218                 }
 219                 session_key = new_session_key;
 220                 dump_data_pw("LM session key\n", session_key.data, session_key.length);
 221         }
 222
 223
 224         /* Key exchange encryptes a new client-generated session key with
 225            the password-derived key */
 226         if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
 227                 /* Make up a new session key */
 228                 uint8_t client_session_key[16];
 229                 generate_random_buffer(client_session_key, sizeof(client_session_key));
 230
 231                 /* Encrypt the new session key with the old one */
 232                 encrypted_session_key = data_blob_talloc(gensec_ntlmssp_state,
 233                                                          client_session_key, sizeof(client_session_key));
 234                 dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
 235                 arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
 236                 dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
 237
 238                 /* Mark the new session key as the 'real' session key */
 239                 session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key));
 240         }
 241
 242         DEBUG(3, ("NTLMSSP: Set final flags:\n"));
 243         debug_ntlmssp_flags(gensec_ntlmssp_state->neg_flags);
 244
 245         /* this generates the actual auth packet */
 246         if (!msrpc_gen(mem_ctx,
 247                        out, auth_gen_string,
 248                        "NTLMSSP",
 249                        NTLMSSP_AUTH,
 250                        lm_response.data, lm_response.length,
 251                        nt_response.data, nt_response.length,
 252                        domain,
 253                        user,
 254                        cli_credentials_get_workstation(gensec_security->credentials),
 255                        encrypted_session_key.data, encrypted_session_key.length,
 256                        gensec_ntlmssp_state->neg_flags)) {
 257                 talloc_free(mem_ctx);
 258                 return NT_STATUS_NO_MEMORY;
 259         }
 260
 261         gensec_ntlmssp_state->session_key = session_key;
 262         talloc_steal(gensec_ntlmssp_state, session_key.data);
 263
 264         talloc_steal(out_mem_ctx, out->data);
 265
 266         gensec_ntlmssp_state->chal = challenge_blob;
 267         gensec_ntlmssp_state->lm_resp = lm_response;
 268         talloc_steal(gensec_ntlmssp_state->lm_resp.data, lm_response.data);
 269         gensec_ntlmssp_state->nt_resp = nt_response;
 270         talloc_steal(gensec_ntlmssp_state->nt_resp.data, nt_response.data);
 271
 272         gensec_ntlmssp_state->expected_state = NTLMSSP_DONE;
 273
 274         if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
 275                 nt_status = ntlmssp_sign_init(gensec_ntlmssp_state);
 276                 if (!NT_STATUS_IS_OK(nt_status)) {
 277                         DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
 278                                   nt_errstr(nt_status)));
 279                         talloc_free(mem_ctx);
 280                         return nt_status;
 281                 }
 282         }
 283
 284         talloc_free(mem_ctx);
 285         return NT_STATUS_OK;
 286 }
 287
 288 NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 289 {
 290         struct gensec_ntlmssp_state *gensec_ntlmssp_state;
 291         NTSTATUS nt_status;
 292
 293         nt_status = gensec_ntlmssp_start(gensec_security);
 294         NT_STATUS_NOT_OK_RETURN(nt_status);
 295
 296         gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
 297
 298         gensec_ntlmssp_state->role = NTLMSSP_CLIENT;
 299
 300         gensec_ntlmssp_state->domain = lp_workgroup(global_loadparm);
 301
 302         gensec_ntlmssp_state->unicode = lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "unicode", true);
 303
 304         gensec_ntlmssp_state->use_nt_response = lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "send_nt_reponse", true);
 305
 306         gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(global_loadparm)
 307                                               && (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "allow_lm_key", false)
 308                                                   || lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "lm_key", false)));
 309
 310         gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(global_loadparm);
 311
 312         gensec_ntlmssp_state->expected_state = NTLMSSP_INITIAL;
 313
 314         gensec_ntlmssp_state->neg_flags =
 315                 NTLMSSP_NEGOTIATE_NTLM |
 316                 NTLMSSP_REQUEST_TARGET;
 317
 318         if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "128bit", true)) {
 319                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
 320         }
 321
 322         if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "56bit", false)) {
 323                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
 324         }
 325
 326         if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "lm_key", false)) {
 327                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
 328         }
 329
 330         if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "keyexchange", true)) {
 331                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
 332         }
 333
 334         if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "alwayssign", true)) {
 335                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
 336         }
 337
 338         if (lp_parm_bool(global_loadparm, NULL, "ntlmssp_client", "ntlm2", true)) {
 339                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
 340         } else {
 341                 /* apparently we can't do ntlmv2 if we don't do ntlm2 */
 342                 gensec_ntlmssp_state->use_ntlmv2 = False;
 343         }
 344
 345         if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
 346                 /*
 347                  * We need to set this to allow a later SetPassword
 348                  * via the SAMR pipe to succeed. Strange.... We could
 349                  * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
 350                  *
 351                  * Without this, Windows will not create the master key
 352                  * that it thinks is only used for NTLMSSP signing and
 353                  * sealing.  (It is actually pulled out and used directly)
 354                  */
 355                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 356         }
 357         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 358                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 359         }
 360         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 361                 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
 362         }
 363
 364         gensec_security->private_data = gensec_ntlmssp_state;
 365
 366         return NT_STATUS_OK;
 367 }
 368